...
 
Commits (3)
sudo (1.8.27-1+deb10u2) buster; urgency=medium
* Non-maintainer upload.
* Fix a buffer overflow when pwfeedback is enabled and input is a not a tty
(CVE-2019-18634) (Closes: #950371)
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 02 Feb 2020 08:41:42 +0100
sudo (1.8.27-1+deb10u1) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
......
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Wed, 29 Jan 2020 20:15:21 -0700
Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a
tty. In getln() if the user enters ^U (erase line) and the write(2) fails,
the remaining buffer size is reset but the current pointer is not. While
here, fix an incorrect break for erase when write(2) fails. Also disable
pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit:
Joe Vennix from Apple Information Security.
Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634
Bug-Debian: https://bugs.debian.org/950371
--HG--
branch : 1.8
[Salvatore Bonaccorso: Backport to 1.8.27 for context changes]
---
src/tgetpass.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/src/tgetpass.c
+++ b/src/tgetpass.c
@@ -60,7 +60,7 @@ static volatile sig_atomic_t signo[NSIG]
static bool tty_present(void);
static void tgetpass_handler(int);
-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
static char *sudo_askpass(const char *, const char *);
static int
@@ -123,6 +123,7 @@ tgetpass(const char *prompt, int timeout
static const char *askpass;
static char buf[SUDO_CONV_REPL_MAX + 1];
int i, input, output, save_errno, neednl = 0, need_restart;
+ bool feedback = ISSET(flags, TGP_MASK);
enum tgetpass_errval errval;
debug_decl(tgetpass, SUDO_DEBUG_CONV)
@@ -170,7 +171,7 @@ restart:
*/
if (!ISSET(flags, TGP_ECHO)) {
for (;;) {
- if (ISSET(flags, TGP_MASK))
+ if (feedback)
neednl = sudo_term_cbreak(input);
else
neednl = sudo_term_noecho(input);
@@ -184,6 +185,9 @@ restart:
}
}
}
+ /* Only use feedback mode when we can disable echo. */
+ if (!neednl)
+ feedback = false;
/*
* Catch signals that would otherwise cause the user to end
@@ -209,7 +213,7 @@ restart:
if (timeout > 0)
alarm(timeout);
- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+ pass = getln(input, buf, sizeof(buf), feedback, &errval);
alarm(0);
save_errno = errno;
@@ -345,7 +349,7 @@ sudo_askpass(const char *askpass, const
extern int sudo_term_eof, sudo_term_erase, sudo_term_kill;
static char *
-getln(int fd, char *buf, size_t bufsiz, int feedback,
+getln(int fd, char *buf, size_t bufsiz, bool feedback,
enum tgetpass_errval *errval)
{
size_t left = bufsiz;
@@ -374,15 +378,15 @@ getln(int fd, char *buf, size_t bufsiz,
while (cp > buf) {
if (write(fd, "\b \b", 3) == -1)
break;
- --cp;
+ cp--;
}
+ cp = buf;
left = bufsiz;
continue;
} else if (c == sudo_term_erase) {
if (cp > buf) {
- if (write(fd, "\b \b", 3) == -1)
- break;
- --cp;
+ ignore_result(write(fd, "\b \b", 3));
+ cp--;
left++;
}
continue;
......@@ -3,3 +3,4 @@ paths-in-samples.diff
Whitelist-DPKG_COLORS-environment-variable.diff
sudo_minus_1_uid.diff
strtoid_minus_1_test_fix.diff
Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch